There is a growing proliferation of organizational networked computing systems. Every type of organization, be it a commercial company, a university, a bank, a government agency or a hospital, or any other kind of organization, heavily relies on one or more networks interconnecting multiple computing nodes. Failures of the networked computing system of an organization or even of only a portion of it might cause significant damage, up to and including completely shutting down all operations. Additionally, all data of the organization can exist somewhere on its networked computing system, including all confidential data comprising its “crown jewels” such as prices, details of customers, purchase orders, employees' salaries, technical formulas, etc. Loss of such data or leaks of such data to outside unauthorized entities might be disastrous for the organization.
As almost all organizational networks are connected to the Internet at least through one computing node, they are subject to attacks by computer hackers or by hostile adversaries. Quite often the newspapers report incidents in which websites have crashed, sensitive data has been stolen or service to customers has been denied, where the failures were the results of hostile penetration into an organization's networked computing system.
As a result, many organizations invest a lot of efforts and cost in preventive means designed to protect their computing networks against potential threats. There are many defensive products offered in the market claiming to provide protection against one or more known modes of attack, and many organizations arm themselves to the teeth with multiple products of this kind.
However, it is difficult to tell how effective such products really are in achieving their stated goals of blocking hostile attacks, and consequently most CISOs (Computer Information Security Officers) will admit that they don't really know how well they can withstand an attack from a given adversary. The only way to really know how strong and secure a system is, is by trying to attack it as a real adversary would. This is known as red-teaming or penetration testing (pen testing, in short), and is a very common approach that is even required by regulation in some developed countries.
Penetration testing requires highly talented people to man the red team. Those people should be familiar with each and every publicly known vulnerability and attacking method and should also have a very good familiarity with networking techniques and multiple operating systems implementations. Such people are hard to find and therefore many organizations give up establishing their own red teams and resort to hiring external expert consultants for carrying out that role (or completely give up penetration testing). But external consultants are expensive and therefore are typically called in only for brief periods separated by long intervals in which no such testing is done. This makes the penetration testing ineffective as vulnerabilities caused by new attacks that appear almost daily are discovered only months after becoming serious threats to the organization.
Additionally, even well-funded organizations that can afford to hire talented experts as in-house red teams do not achieve good protection. Testing for vulnerabilities of a large network containing many types of computers, operating systems, network routers and other devices is both a very complex and a very tedious process. The process is prone to human errors such as omitting tests for certain threats or misinterpreting the damages of certain attacks. Also, because a process of full testing against all threats is quite long, the organization might again end up with too long a discovery period after a new threat appears.
Because of the above difficulties several vendors are proposing automated penetration testing systems. Such systems automatically discover and report vulnerabilities of a networked system, potential damages that might be caused to the networked system, and potential trajectories of attack that may be employed by an attacker.
A major goal of attackers of a networked system is to export important and confidential files out of the attacked networked system and into the attacker's hands. The exported data may be Excel files containing financial data, Word files containing business plans, password files containing passwords of multiple network nodes of the networked system, etc.
Not all network nodes of a networked system contain the same amount of important data and not all network nodes of a networked system contain data of the same importance or of the same confidentiality. For example, a finance manager's computer may contain dozens of Excel files containing confidential financial data, while an administration manager's computer in the same organization may contain only a couple of Word files containing unimportant administrative procedures.
Prior art penetration testing systems fail to take such facts into consideration, neither during the execution of penetration testing campaigns, nor when generating remediation recommendations after the completion of those campaigns.
When a user desires to operate a prior art penetration testing system for conducting a test on a specific networked system, the penetration testing system must know what test it should execute. For example, the penetration testing system must know what type of attacker the test is making its assessment against (a state-sponsored actor, a cyber-criminal etc.), and what his capabilities are. As another example, the penetration testing system must know what the goal of the attacker is, according to which the attack will be judged as a success or a failure (copying a specific file and exporting it out of the tested networked system, encrypting a specific directory of a specific network node for demanding ransom, etc.).
A specific run of a specific test of a specific networked system by a penetration testing system is called a “campaign” of that penetration testing system. A collection of values for all information items a penetration testing system must know before executing a campaign is called “specifications of the campaign” or “scenario”. For example, the type of the attacker and the goal of the attacker are specific information items of a campaign, and specific values for them are parts of the specifications of any campaign.
One special information item of a campaign is the lateral movement strategy of the attacker during the campaign.
The lateral movement strategy of an attacker is the decision logic applied by the attacker of a campaign for selecting the next network node to try to compromise.
During a penetration testing campaign, it is assumed that the attacker makes progress by an iterative process, wherein in each iteration the attacker selects the next node to attack, based on the group of network nodes that are already compromised and controlled by the attacker. If the attack on the selected node is successful, that node is added to the group of nodes that are already compromised, and another iteration begins. If the attempt to compromise the selected node fails, another node is selected, either according to the lateral movement strategy in use or randomly.
All types of penetration testing systems, whether using simulated penetration testing, actual attack penetration testing or some other form of penetration testing, must use a lateral movement strategy. In penetration testing systems that actually attack the tested networked system, the lateral movement strategy selects the path of attack actually taken through the networked system. In penetration testing systems that simulate or evaluate the results of attacking the tested networked system, the lateral movement strategy selects the path of attack taken in the simulation or the evaluation through the networked system. Therefore, in the present disclosure, the term “attack” should be understood to mean “actual attack or simulated/evaluated attack”, the term “already controls” should be understood to mean “already controls or already determined to be able to control”, the term “already compromised” should be understood to mean “already compromised or already determined to be compromisable”, etc.
A simple example of a lateral movement strategy is a “depth first” strategy in which the next network node to attempt to compromise is a network node that is not yet compromised and is an immediate neighbor of the last network node that was compromised, provided such neighbor node exists. Two network nodes are “immediate neighbors” of each other if and only if they have a direct communication link between them that does not pass through any other network node.
Another simple example is a “breadth first” strategy, in which the next network node to attempt to compromise is a network node that is not yet compromised and whose distance from the first node compromised by the campaign is the smallest possible. The distance between two network nodes is the number of network nodes along the shortest path between them, plus one. A path is an ordered list of network nodes in which each pair of adjacent nodes in the list is a pair of immediate neighbors. Thus, the distance between two immediate neighbors is one.
An example of a more advanced lateral movement strategy is a strategy that is applicable when a goal of the attacker is related to a resource of the networked system that resides in a specific network node. In such case, the next network node to try to compromise may be selected by determining the shortest path in the networked system leading from an already compromised node to the specific node containing the desired resource and selecting the first node on the determined path as the next node to attempt to compromise. If the shortest path has a length of one, which occurs when the specific node is an immediate neighbor of an already compromised node, then the next node to attempt to compromise is the specific node containing the desired resource.
Another example of a lateral movement strategy is a strategy that gives priority to network nodes satisfying a specific condition, for example nodes that are known to have a specific weakness, such as running the Windows XP operating system. In such case, the next node to attempt to compromise is a node that satisfies the condition and is also either an immediate neighbor of or reachable from an already compromised node, if such a node exists.
Lateral movement strategies used in prior art penetration testing systems pay no attention to the files stored in network nodes considered as candidates for the selection of the next network node to attempt to compromise. As an example, suppose the above-mentioned computers of the finance manager and the administration manager are the only two candidates for selection in a penetration testing system that uses the breadth-first lateral movement strategy. If it so happens that the distance between the administration manager's computer and the first node compromised by the current campaign is smaller than the distance between the finance manager's computer and the first node compromised by the current campaign, then the breadth-first strategy will cause the selection of the administration manager's computer as the next node to attempt to compromise, even though the “spoil” (a.k.a. “yield”) gained from compromising the finance manager's computer has much higher value.
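The following Python is an added illustration, not code from the present disclosure, modelling the iterative campaign described above on a constructed four-node network: the prior-art breadth-first selection beside a value-aware variant that combines the shortest-path strategy with the value of files on each node. The node names, the file values and the value-aware selection rule are assumptions made for this example.

```python
from collections import deque

# Constructed toy network (adjacency lists of immediate neighbours); node names
# and file values are assumptions made for this illustration only.
NETWORK = {
    "entry": ["switch", "admin_mgr"],
    "switch": ["entry", "finance_mgr"],
    "admin_mgr": ["entry"],
    "finance_mgr": ["switch"],
}
# Assumed "spoil" of each node, e.g. a count of confidential files it holds.
FILE_VALUE = {"entry": 0, "switch": 0, "admin_mgr": 2, "finance_mgr": 40}

def bfs(sources):
    """Multi-source BFS: hop distance and BFS parent of every reachable node."""
    dist = {n: 0 for n in sources}
    parent = {n: None for n in sources}
    queue = deque(sources)
    while queue:
        node = queue.popleft()
        for nb in NETWORK[node]:
            if nb not in dist:
                dist[nb], parent[nb] = dist[node] + 1, node
                queue.append(nb)
    return dist, parent

def breadth_first_next(order):
    """Prior-art strategy: uncompromised neighbour closest to the first node."""
    dist, _ = bfs([order[0]])
    cands = {nb for n in order for nb in NETWORK[n] if nb not in order}
    return min(cands, key=lambda n: (dist[n], n)) if cands else None

def value_aware_next(order):
    """Assumed value-aware variant: first hop on the shortest path from the
    compromised set to the uncompromised node holding the most valuable files."""
    dist, parent = bfs(order)
    targets = [n for n in dist if n not in order]
    if not targets:
        return None
    step = max(targets, key=lambda n: (FILE_VALUE[n], n))
    while parent[step] not in order:  # walk back to the first uncompromised hop
        step = parent[step]
    return step

def run_campaign(strategy, first_node, max_steps):
    """Time-limited campaign in which every attack attempt is assumed to succeed."""
    order = [first_node]
    while len(order) <= max_steps and (nxt := strategy(order)) is not None:
        order.append(nxt)
    return order
```

With a two-step limit the breadth-first campaign ends at ["entry", "admin_mgr", "switch"] and never reaches the finance manager's computer, whereas the value-aware campaign ends at ["entry", "switch", "finance_mgr"].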
The problem demonstrated by the above example is not only that the order of compromising network nodes is not reasonable—compromising less-valuable nodes before more-valuable nodes. Many penetration testing campaigns are carried out under a time limit, forcing them to terminate once the time limit is over. In such campaigns the unreasonable order of targeting nodes might result in terminating the campaign before a highly valuable node containing critical files is reached.
Thus, lateral movement strategies of prior art penetration testing systems might generate non-optimal movements during a campaign, causing a penetration campaign to miss opportunities available to attackers for capturing highly valuable file assets. In such case the result of a penetration test might give the user a false and unjustified sense of security.
Similarly, remediation recommendations generated by prior art penetration testing systems based on results of penetration testing campaigns pay no attention to the quantity and importance of data stored in files residing in network nodes of the tested networked system. As an example, suppose the above-mentioned computers of the finance manager and the administration manager are both identified by a campaign as points of vulnerability that might fail against a direct attack by an attacker. If it so happens that the cost of exploitation for an attacker to compromise the finance manager's computer is a bit higher than the cost of exploitation for an attacker to compromise the administration manager's computer, and the cost of remediation for the finance manager's computer to block its vulnerability is a bit higher than the cost of remediation for the administration manager's computer to block its vulnerability, then prior art penetration testing systems will typically recommend giving higher priority to fixing the vulnerability of the administration manager's computer, even though the real benefit from fixing the vulnerability of the finance manager's computer is much higher.
Thus, prior art penetration testing systems might generate non-optimal remediation recommendations following a campaign, causing a penetration test to result in investing resources in fixing a vulnerability that is not the most important to fix.